Vulnerabilities > CVE-2010-4530 - Numeric Errors vulnerability in Muscle Pcsc-Lite 1.5.3

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Signedness error in ccid_serial.c in libccid in the USB Chip/Smart Card Interface Devices (CCID) driver, as used in pcscd in PCSC-Lite 1.5.3 and possibly other products, allows physically proximate attackers to execute arbitrary code via a smart card with a crafted serial number that causes a negative value to be used in a memcpy operation, which triggers a buffer overflow. NOTE: some sources refer to this issue as an integer overflow.

Vulnerable Configurations

Part Description Count
Application
Muscle
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-0162.NASL
    descriptionThis update fixes the following security issue : An integer overflow, leading to array index error was found in the way USB CCID (Chip/Smart Card Interface Devices) driver processed certain values of card serial number. A local attacker could use this flaw to execute arbitrary code, with the privileges of the user running the pcscd daemon, via a malicious smart card with specially crafted value of its serial number, inserted to the system USB port. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id51517
    published2011-01-14
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51517
    titleFedora 14 : ccid-1.4.0-2.fc14 (2011-0162)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2013-1323.NASL
    descriptionFrom Red Hat Security Advisory 2013:1323 : An updated ccid package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a Generic, USB-based CCID driver for readers, which follow this standard. An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-06-01
    modified2020-06-02
    plugin id70285
    published2013-10-03
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70285
    titleOracle Linux 5 : ccid (ELSA-2013-1323)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201401-16.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201401-16 (CCID: Arbitrary code execution) CCID contains an integer overflow vulnerability in ccid_serial.c. Impact : A physically proximate attacker could execute arbitrary code via a smart card with a specially crafted serial number. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id72071
    published2014-01-22
    reporterThis script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72071
    titleGLSA-201401-16 : CCID: Arbitrary code execution
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_PCSC-CCID-110121.NASL
    descriptionAn integer overflow in pcsc-ccid and a buffer overflow in pcsc-lite while handling smart card responses have been fixed. CVE-2010-4530 / CVE-2010-4531 have been assigned to these issues. Additionally a new device ID for card readers was added.
    last seen2020-06-01
    modified2020-06-02
    plugin id51844
    published2011-02-02
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51844
    titleSuSE 11.1 Security Update : pcsc-lite (SAT Patch Number 3889)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2013-1323.NASL
    descriptionAn updated ccid package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a Generic, USB-based CCID driver for readers, which follow this standard. An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-06-01
    modified2020-06-02
    plugin id79152
    published2014-11-12
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79152
    titleCentOS 5 : ccid (CESA-2013:1323)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2013-0523.NASL
    descriptionFrom Red Hat Security Advisory 2013:0523 : An updated ccid package that fixes one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a Generic, USB-based CCID driver for readers, which follow this standard. An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-06-01
    modified2020-06-02
    plugin id68759
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68759
    titleOracle Linux 6 : ccid (ELSA-2013-0523)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2013-0523.NASL
    descriptionAn updated ccid package that fixes one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a Generic, USB-based CCID driver for readers, which follow this standard. An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-06-01
    modified2020-06-02
    plugin id64770
    published2013-02-21
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/64770
    titleRHEL 6 : ccid (RHSA-2013:0523)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20130221_CCID_ON_SL6_X.NASL
    descriptionAn integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-03-18
    modified2013-03-05
    plugin id65008
    published2013-03-05
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65008
    titleScientific Linux Security Update : ccid on SL6.x i386/x86_64 (20130221)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2013-1323.NASL
    descriptionAn updated ccid package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a Generic, USB-based CCID driver for readers, which follow this standard. An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-04-16
    modified2013-10-01
    plugin id70247
    published2013-10-01
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70247
    titleRHEL 5 : ccid (RHSA-2013:1323)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20130930_CCID_ON_SL5_X.NASL
    descriptionAn integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-03-18
    modified2013-10-11
    plugin id70388
    published2013-10-11
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70388
    titleScientific Linux Security Update : ccid on SL5.x i386/x86_64 (20130930)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2013-0523.NASL
    descriptionAn updated ccid package that fixes one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a Generic, USB-based CCID driver for readers, which follow this standard. An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card
    last seen2020-06-01
    modified2020-06-02
    plugin id65154
    published2013-03-10
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65154
    titleCentOS 6 : ccid (CESA-2013:0523)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_LIBPCSCLITE1-110105.NASL
    descriptionAn integer overflow in pcsc-ccid and a buffer overflow in pcsc-lite while handling smart card responses have been fixed. CVE-2010-4530 and CVE-2010-4531 have been assigned to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id53754
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53754
    titleopenSUSE Security Update : libpcsclite1 (openSUSE-SU-2011:0092-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-0143.NASL
    descriptionThis update fixes the following security issue : An integer overflow, leading to array index error was found in the way USB CCID (Chip/Smart Card Interface Devices) driver processed certain values of card serial number. A local attacker could use this flaw to execute arbitrary code, with the privileges of the user running the pcscd daemon, via a malicious smart card with specially crafted value of its serial number, inserted to the system USB port. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id51516
    published2011-01-14
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51516
    titleFedora 13 : ccid-1.3.11-2.fc13 (2011-0143)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_LIBPCSCLITE1-110105.NASL
    descriptionAn integer overflow in pcsc-ccid and a buffer overflow in pcsc-lite while handling smart card responses have been fixed. CVE-2010-4530 and CVE-2010-4531 have been assigned to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id75602
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75602
    titleopenSUSE Security Update : libpcsclite1 (openSUSE-SU-2011:0092-1)

Redhat

advisories
  • bugzilla
    id664986
    titleCVE-2010-4530 CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • commentccid is earlier than 0:1.3.9-6.el6
        ovaloval:com.redhat.rhsa:tst:20130523001
      • commentccid is signed with Red Hat redhatrelease2 key
        ovaloval:com.redhat.rhsa:tst:20130523002
    rhsa
    idRHSA-2013:0523
    released2013-02-20
    severityLow
    titleRHSA-2013:0523: ccid security and bug fix update (Low)
  • bugzilla
    id664986
    titleCVE-2010-4530 CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • commentccid is earlier than 0:1.3.8-2.el5
        ovaloval:com.redhat.rhsa:tst:20131323001
      • commentccid is signed with Red Hat redhatrelease key
        ovaloval:com.redhat.rhsa:tst:20131323002
    rhsa
    idRHSA-2013:1323
    released2013-09-30
    severityLow
    titleRHSA-2013:1323: ccid security and bug fix update (Low)
rpms
  • ccid-0:1.3.9-6.el6
  • ccid-debuginfo-0:1.3.9-6.el6
  • ccid-0:1.3.8-2.el5
  • ccid-debuginfo-0:1.3.8-2.el5